FEATURE: 'reply by email address' validator

Prevent infinite email loophole when the 'reply_by_email_address' site setting is the same as the 'notification_email'.
2025-05-21 18:12:32 +08:00 · 2015-02-06 12:08:37 +01:00
parent 4db3caec7c
commit f7d2fc0524
6 changed files with 72 additions and 16 deletions
--- a/spec/components/validators/reply_by_email_address_validator_spec.rb
+++ b/spec/components/validators/reply_by_email_address_validator_spec.rb
@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe ReplyByEmailAddressValidator do
+
+  describe '#valid_value?' do
+    subject(:validator) { described_class.new }
+
+    it "returns true for blank values" do
+      expect(validator.valid_value?('')).to eq(true)
+      expect(validator.valid_value?(nil)).to eq(true)
+    end
+
+    it "returns false if value is not an email address" do
+      expect(validator.valid_value?('WAT%{reply_key}.com')).to eq(false)
+    end
+
+    it "returns false if value does not contain '%{reply_key}'" do
+      expect(validator.valid_value?('foo@bar.com')).to eq(false)
+    end
+
+    it "returns false if value is the same as SiteSetting.notification_email" do
+      SiteSetting.expects(:notification_email).returns("foo@bar.com")
+      expect(validator.valid_value?('foo+%{reply_key}@bar.com')).to eq(false)
+    end
+
+    it "returns true when value is OK" do
+      SiteSetting.expects(:notification_email).returns("foo@bar.com")
+      expect(validator.valid_value?('bar%{reply_key}@foo.com')).to eq(true)
+    end
+
+  end
+
+end